Re: [Vserver] Template server files

2004-10-27 Thread Dennis Roos
On Sun, 2004-10-24 at 13:25, Tor Rune Skoglund wrote:
> Hi List,
> 
> when trying to make a good template server, one obviously has
> to start and enter the virtual server and test the installation 
> of it, add some programs, make config changes in it and so on.
> 
> But when using it as a template, some files must be removed
> or altered before it is made "production ready". AFAICS at
> least these have to be changed/deleted:
> 
> * ssh keys 
> * shell history file
> * root password setting
> * any standard users password settings
> 
> I am sure there are more, so if any of you experts out there
> has additions to the list, please mail me or the list. 
> I'll make a summary on the wiki afterwards.
For a Gentoo-based vserver, I use the following script(s)
- I am assuming a cron daemon is installed within the template:

Within the /vservers/TEMPLATE/etc/cron.daily I put:
#!/bin/bash
# update-template.cron

sync
emerge rsync
sleep 10
emerge --buildpkg --update world

/usr/sbin/fixpackages
/usr/sbin/env-update
/sbin/depscan.sh


# Clean up root data
rm -f /root/dead.letter
rm -rf /root/.ssh/*

# Blank root's shell files; absolute paths, so the job's working
# directory does not matter
echo > /root/.bash_history
echo > /root/.bashrc
echo > /root/.bash_profile


After this cronjob is finished - to be sure at 6am, from the Host
crontab I run the following:
#!/bin/bash
# update_template.sh

umask 0077

CURDATE=$(date +%d%m%Y)

# Without an argument, archive /vservers/TEMPLATE under a dated name
if [ "x$1" = "x" ] ; then
    TEMPLATE="template-$CURDATE"
    TEMPLATE_DIR="TEMPLATE"
else
    TEMPLATE="$1"
    TEMPLATE_DIR="$1"
fi

# mktemp avoids a predictable file name in /tmp
TEMPFILE=$(mktemp "/tmp/exclude_${TEMPLATE_DIR}.XXXXXX") || exit 1

# exclude_template is read from the current directory
sed "s/TEMPLATE/$TEMPLATE_DIR/g" exclude_template > "$TEMPFILE"
tar -X "$TEMPFILE" -C /vservers -cpf "/vservers/$TEMPLATE.tar" "$TEMPLATE_DIR"
bzip2 -9 "/vservers/$TEMPLATE.tar"

rm -f "$TEMPFILE"

exit 0


And the exclude tree looks like this
#exclude_template
TEMPLATE/root/*
TEMPLATE/proc/*
TEMPLATE/dev/pts/*
*distcc*
TEMPLATE/tmp/*
TEMPLATE/usr/portage/*
TEMPLATE/var/tmp/*
TEMPLATE/var/lib/init.d/started/*
TEMPLATE/etc/cron.daily/update-template.cron
TEMPLATE/var/spool/cron/lastrun/*

There are some additional things to change when deploying the template:
* I change /etc/ssh/sshd_config where I set the Listen option to the IP
of the vserver


> Also, I do not know how well vserver-copy or other copy tools 
> handle such files, as the documentation seems to be a bit
> sparse on the tools. Any enlightenment on these matters will
> be highly appreciated.
I can't help you with that, I have no experience with these tools ;)

> Best regards
> Tor Rune Skoglund
> [EMAIL PROTECTED]
> 
> ___
> Vserver mailing list
> [EMAIL PROTECTED]
> http://list.linux-vserver.org/mailman/listinfo/vserver
-- 
Regards,
Dennis Roos


Network Engineer
InTouch N.V.
Middenweg 76
1097 BS Amsterdam
Tel: +31 (0)20 6752060
Fax: +31 (0)20 6758429
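
The checklist from the original question (ssh keys, shell history, root and user password settings), run as a check over a finished template archive. This is an added example, not code from the thread; the archive contents, member names and finding labels are constructed for illustration.

```python
import io
import tarfile

def audit_template(tar_bytes):
    """Return sorted (member, finding) pairs for residue that should not ship."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            base = m.name.rsplit("/", 1)[-1]
            if base.startswith("ssh_host_"):
                findings.append((m.name, "ssh host key"))
            elif "/.ssh/" in m.name:
                findings.append((m.name, "user ssh key material"))
            elif base.endswith("_history"):
                # `echo > file` leaves a lone newline, which counts as empty here
                if tar.extractfile(m).read().strip():
                    findings.append((m.name, "non-empty shell history"))
            elif m.name.endswith("/etc/shadow"):
                text = tar.extractfile(m).read().decode(errors="replace")
                for line in text.splitlines():
                    if ":" not in line:
                        continue
                    user, pw = line.split(":")[:2]
                    if pw == "":
                        findings.append((m.name, "empty password for " + user))
                    elif not pw.startswith(("*", "!")):   # "*" / "!" mean locked
                        findings.append((m.name, "password hash set for " + user))
    return sorted(findings)

def build_sample():
    """Constructed archive laid out like /vservers/TEMPLATE (all values made up)."""
    files = {
        "TEMPLATE/etc/ssh/ssh_host_rsa_key": b"constructed-key\n",
        "TEMPLATE/etc/shadow": b"root:$1$constructed$hash:12000:0:::::\n"
                               b"bin:*:9797:0:::::\n",
        "TEMPLATE/root/.bash_history": b"\n",
        "TEMPLATE/home/test/.bash_history": b"passwd root\n",
        "TEMPLATE/etc/hostname": b"template\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

`tarfile.open` detects compression on read, so the same function accepts the bytes of a `.tar.bz2` archive.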




Re: [Vserver] Template server files

2004-10-24 Thread Gregory (Grisha) Trubetskoy

Here is what we do in OpenVPS. This is Fedora biased.
I think the utils strategy is copy-everything-then-unify, whereas we stuck 
to hardlink-as-you-copy-then-leave-it-alone. Either strategy is fine, it 
probably depends more on what you're doing. In our case the vserver is 
intended to be passed to a client/customer/etc, so it's best not to touch 
those files once they're released, which is why we've been avoiding vunify.

We pretty much follow these steps:
1. Build a reference server like any other server (there is more than one 
way to do it, we just use rpm and then manually adjust little things, the 
vserver utils use the magic of apt to do it).

2. There is a "fixflags" script. It walks the tree and sets certain things 
immutable (iunlink to be exact). The strategy is similar to what vunify 
does - we rely on RPM package information, if a file is marked as "config" 
it is not flagged with iunlink.

3. To make a vserver you have a "clone" script. The clone script makes 
hard links to files that are iunlink, and copies most everything else. 
Some files are not copied, but just created (touched). The specific "clone 
rules" we use look like this (these rules make an assumption that the 
reference server is in a pristine state, otherwise you'd need a more 
elaborate set of rules):

CLONE_RULES = {
    'copy'  : ['/etc', '/var', '/root', '^/dev'],
    # raw string keeps the backslash intact for the pattern
    'touch' : ['/var/log', '/var/run', r'\.bash_history'],
    'skip'  : ['ssh_host_', '.pem$', '/proc/', '/var/tmp/',
               '/var/cache/.*/.+']
}
(this is in python, btw)
This means /etc is always copied, everything in /var/log is always 
"touched", .pem files are skipped, etc.

4. If you update the reference server, just go ahead and do it, and 
remember to run the fixflags afterwards, or the clone step will not 
hardlink the new files because they're not iunlink.

Haven't tried vserver-copy, it probably does something similar.
Grisha
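
A sketch of how the clone step described above could apply these rules, as an added example that is not OpenVPS code. The rule precedence (skip, then touch, then copy), the use of `re.search`, the `is_iunlink` callback and the sample tree are assumptions made for illustration.

```python
import os
import re
import shutil
import tempfile

# Rules as posted in the thread; every entry is used as a regular expression.
CLONE_RULES = {
    'copy':  ['/etc', '/var', '/root', '^/dev'],
    'touch': ['/var/log', '/var/run', r'\.bash_history'],
    'skip':  ['ssh_host_', '.pem$', '/proc/', '/var/tmp/', '/var/cache/.*/.+'],
}
PRECEDENCE = ('skip', 'touch', 'copy')  # assumption: most restrictive rule wins

def clone_action(path, iunlink):
    """Pick skip/touch/copy by rule, else hard-link iunlink files and copy the rest."""
    for action in PRECEDENCE:
        if any(re.search(p, path) for p in CLONE_RULES[action]):
            return action
    return 'link' if iunlink else 'copy'

def clone_tree(ref, dst, is_iunlink):
    """Clone reference tree `ref` into `dst`; return {path: action taken}."""
    done = {}
    for root, _dirs, files in os.walk(ref):
        relroot = root[len(ref):]
        os.makedirs(dst + relroot, exist_ok=True)
        for name in files:
            rel = relroot + '/' + name
            src, target = ref + rel, dst + rel
            action = done[rel] = clone_action(rel, is_iunlink(rel))
            if action == 'link':
                os.link(src, target)            # shares the reference inode
            elif action == 'copy':
                shutil.copy2(src, target)       # private, writable copy
            elif action == 'touch':
                open(target, 'w').close()       # same name, no content
                shutil.copystat(src, target)
    return done

def demo():
    """Constructed reference tree; the iunlink flag is simulated by path prefix."""
    ref, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    for rel in ('/usr/bin/tool', '/etc/passwd', '/etc/ssh/ssh_host_rsa_key',
                '/root/.bash_history', '/var/log/messages'):
        os.makedirs(os.path.dirname(ref + rel), exist_ok=True)
        with open(ref + rel, 'w') as f:
            f.write('constructed\n')
    return ref, dst, clone_tree(ref, dst, lambda rel: rel.startswith('/usr/'))
```

The patterns are unanchored, so `/etc` also matches a path such as `/usr/local/etc/app.conf`; that errs toward a private copy rather than a shared hard link.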


[Vserver] Template server files

2004-10-24 Thread Tor Rune Skoglund
Hi List,

when trying to make a good template server, one obviously has
to start and enter the virtual server and test the installation 
of it, add some programs, make config changes in it and so on.

But when using it as a template, some files must be removed
or altered before it is made "production ready". AFAICS at
least these have to be changed/deleted:

* ssh keys 
* shell history file
* root password setting
* any standard users password settings

I am sure there are more, so if any of you experts out there
has additions to the list, please mail me or the list. 
I'll make a summary on the wiki afterwards.

Also, I do not know how well vserver-copy or other copy tools 
handle such files, as the documentation seems to be a bit
sparse on the tools. Any enlightenment on these matters will
be highly appreciated.

Best regards
Tor Rune Skoglund
[EMAIL PROTECTED]
